CIS/CCE vs TDSS rootkit


Today I encountered an infected system. I cleaned it with CCE 1.6 (release version, not beta); it found some malware and removed it.

I then installed CIS on that system, and found that the system was running very slowly.

I ran a full scan again, and this time CIS found some more infections (a rootkit infection reported in the registry), but failed to remove it. I tried twice, and it failed again and again.

I tried to run Malwarebytes but I could not, so I ran SuperAntiSpyware, which then found a TDSS rootkit and asked for a reboot to clean it. It showed that it had cleaned it successfully, but a second scan with it showed up the same result again.

I did some Google searching, disabled the hidden service nnewne.sys and then downloaded Kaspersky's TDSS remover. It found the rootkit and deleted it on reboot.

I tried many ways to copy the infected file C:\windows\system32\drivers\nnewne.sys (in the hope of submitting the sample to Comodo Labs), but it resulted in various errors and I could not succeed (it says the file system cannot read the file, and so on…). The most I could do was to back up the contents of the SuperAntiSpyware and TDSSKiller quarantine folders. I also took a few screenshots of the scans.

I am attaching the screenshots here; I can send the quarantine folder archives to any moderator if needed.

The most worrying thing for me is that CCE 1.6 did not even detect the rootkit. Please verify it.

The surprising thing is that Comodo could identify and quarantine the rootkit in the TDSSKiller quarantine (you can see it in the screenshot), but could not do it while the rootkit was active.

I also found gylmiuepn296F4BEC.tmp along with nnewne.sys in the SuperAntiSpyware results, which was found malicious in VirusTotal results (22/43). I have already submitted this sample to Comodo Labs. (I thought it might be of some relevance.)

I think bootable rescue disk(s) are still a better solution for cleaning an infected PC…

Can somebody please confirm this? Can't Comodo clean rootkits?

It's supposed to clean them, but as always, rootkits are nasty things.

Please try GMER next time to see if you can force a copy of the malware to be saved on disk; it has a file explorer that allows a little more than the average explorer.

Do you happen to have the TDSS Killer scan results file? Does it show which version of TDSS it found?

I have the screenshot that I took of the results, which I have attached in my first post. It does not seem to include any version info.

I have the TDSS Killer Quarantine archive, I can PM it to you if it is of any use…

Yes please, can you send me a PM on how to exchange the file(s).